ABSTRACT

1.0 INTRODUCTION



Computers and telecommunication systems are 
increasingly being used to process and transport 
information that is sensitive to an individual, 
a company, or society. There are several trends,
which the widespread adoption of standard
high-level network protocols will intensify, that
emphasize the need to develop network security
mechanisms.

The security problem can be subdivided into the 
problem of privacy and the authentication 
problem. The privacy problem consists in 
preventing someone other than the legitimate 
receiver from extracting information from the 
communication channel; the authentication 
problem consists in preventing someone other 
than the legitimate sender from modifying or 
injecting data into the channel, so that the
receiver can be sure that he actually received 
the original message from the legitimate sender. 

The most appropriate and practical means to 
provide privacy and authentication in 
communication networks is by using encryption. 
This paper takes a look at the implementation of 
encryption in large communication networks and 
specifically ISDN. In our present age of
standardisation of encryption algorithms, the
only element that is still secret is the
encryption keys. For this reason special
attention will be given to the problems and the
implementation of key distribution in ISDN. The
following main topics will be covered:

• Overview of basic encryption concepts 

• The key distribution problem 

• Key distribution fundamentals 

• Secure communication procedure for large 
networks 

• Implementation in ISDN



Cryptography is too broad a subject to be
discussed here in any depth. We will limit
ourselves to explaining only those concepts
necessary for the discussion of a secure
communications procedure for ISDN. If more
information is required, substantial literature
can be found in books and journals [1, 2].

A cipher is an algorithmic transformation
performed on a symbol-by-symbol basis on any
data. The terms encipherment and encryption
refer synonymously to the application of a
cipher to data. An encryption algorithm is any
algorithm that implements a cipher. The readable
input to an encryption algorithm is referred to
as a cleartext or plaintext, while the scrambled
output from the algorithm is called ciphertext.
The transformation performed on the cleartext to
encipher it is controlled by a key. For use in
the communication context, the encryption
algorithm must be invertible; that is, there
must be a matching decryption algorithm that
reverses the encryption transformation when
presented with the appropriate key.

2.1 Encryption systems

Encryption systems can be divided into two 
classes, i.e. symmetrical (conventional) systems 
and asymmetrical (public key) systems. 

2.1.1 Conventional systems

In conventional systems the encryption and
decryption keys are identical. Such a key must
be kept secret, known only to authorized users.
Authorized users can use the key both to encrypt
their own messages, and to decrypt messages that
others have encrypted using it. Fig. 1
illustrates these aspects of a conventional
system. Keys need to be exchanged between users,
often over a slow secure channel, for example a
private courier, and the number of keys can be
very large, if every pair of users requires a
different key. This creates a key distribution
problem which is partially solved in the public
key systems. Examples of conventional systems
are the Data Encryption Standard (DES) and rotor
ciphers.

2.1.2 Public key systems 
This procedure takes care of the privacy
problem, but since anyone can transmit a message
to a user A under that user's public key Ap,
some additional mechanism is needed to securely
identify or authenticate the sender.
Identification is accomplished by having the
sender B encrypt the message under his secret
key Bs, then under the public key of the
intended receiver Ap. The receiver can then
strip off the outer layer of encryption using
his secret key As, and complete the deciphering
using the public key of the sender Bp. Anyone
with access to the public key can verify that
the message must have been encrypted with the
corresponding secret key, but the public key is
of no help in creating (forging) a message. This
phenomenon is called a digital signature and is
shown in Figure 2.

One of the supposed advantages of a public-key
cryptosystem is that public keys may be freely
distributed without concern for secrecy. But the
need for authentication in the distribution of
public keys in an open-system environment
results in there being few differences between
public-key and conventional-key distribution
mechanisms [1].

The most successful implementation of a public
key system is the RSA system [3]. This system
makes joint use of the fact that factoring is
much harder than multiplying, and that taking
either roots or logarithms is much harder than
exponentiating. It has recently been proposed by
the CCITT and ISO as a strong authentication
mechanism for use as part of a directory server
[4].

The biggest problem regarding public-key systems
is that they are computationally very
involved. Software employing this type of
encryption is very slow. The fastest hardware
implementation of the RSA achieves bit rates of
about 10 kBit/s which is too slow for on-line
encryption of 64 kBit/s data.

2.2 Approaches to communication security 
FIGURE 2: A PUBLIC KEY CIPHER



3.0 THE KEY DISTRIBUTION PROBLEM

Conventional encryption requires that for
ensuring secure communications, communicators
must have keys that are identical. This leads to
the so-called key distribution problem in a
large network of communicators who wish to
communicate with each other securely. If all
communicators in the network are using the same
key, and if the key is compromised by any one
communicator, then the whole network is
compromised. Thus for n users to communicate
with each other securely in a network, n(n-1)/2
different keys are required. The number of keys
thus grows as the square of the number of users
who want to communicate. These keys must be
distributed to the users via private and secure
channels which are normally couriers. Moreover,
for reliability reasons, keys must be produced
and distributed, not once, but constantly. They
must be changed with the passage of time or when
they are feared compromised.

In a large network with a large number of users,
this is a mammoth if not impossible task to
perform using couriers only. Only a key
distribution service, using the network itself
as a bearer, can make such a system feasible.
This key distribution service can be provided by
the network or another third party to provide
automatic electronic key distribution over the
network.

4.0 KEY DISTRIBUTION FUNDAMENTALS

To be able to use a cryptographic system, keys
must be distributed to the communicating
entities (users, processes). If bilateral key
distribution is used, each principal involved in
an association can reliably verify the identity
of the principal at the other end. But this
approach, by itself, has the problem that two
principals always use the same key (call it the
long term key). To extend this approach to allow
a per-association key, the key must be securely
distributed to each end of the association. One
method of distribution is to transmit the
per-association key at association initiation
time, encrypted under the long term key.

Keys held for long periods of time and used
exclusively for the transmission of
per-association keys are referred to as master
keys. One or more keys used during the course of
a single association are referred to as session
keys. Thus, master keys are used to authenticate
principals, and to protect transmitted session
keys, while session keys are used exclusively to
encrypt the messages of a single association.
Message keys are generated for each message
encrypted and are not secret. They are used to
ensure that every message is encrypted with a
different iCBJVaftnrfeaTn .

FIGURE 3: Hybrid system

Managing such a large number of keys can be
cumbersome and expensive. For example, if the
master key list on a host is subverted, all
users on that list must be notified. If a user
loses his list of master keys, all hosts on that
list must be notified. In order to reduce the
proliferation of master keys significantly, the
concept of trusted intermediaries such as key
certification centres has been developed.



5.0 SECURE COMMUNICATION PROCEDURE FOR LARGE NETWORKS



The main objective we want to achieve with this 
procedure is to provide automatic key 
distribution over the network and also to do 
away with the requirement that every time a user 
wants to communicate with another user he must
first approach a trusted third party to obtain a 
session key. This procedure will only need the 
user to contact the trusted third party once, 
and that is when he joins the network initially. 
In this way there will be no need for an on-line 
third party and overhead will be much reduced. 



5.1 Hybrid encryption system and key
certification centres.



The procedure is based on a combination of
conventional systems and the public key systems
to provide a so-called hybrid system. The most
suitable public key algorithm for this purpose
is the RSA algorithm [3] developed by Rivest,
Shamir and Adleman. In the hybrid system the
key distribution is done with the public
key system, and the encryption of the data with
a conventional system. This overcomes the
problem of the slow speed of the RSA public key
system and gives us the combined advantages of
the speed of the conventional systems as
well as the key distribution and authentication
properties of the public key system. See Figure
3 for a hybrid system and Figure 4 for a
description of the basic building blocks of the
user end equipment.

With only conventional encryption, for A and B
to establish a secure communication link between
them they must first have an exchange of secret
numbers which are encryption keys. With a public
key system like the RSA algorithm, A and B can
establish a secure communication link between
them by first exchanging non-secret public keys.
In either case the exchange of numbers must be
certified. That is, A must be assured that the
keys received are indeed from B and vice versa.

Suppose A and B are only two members of a large
communications network of users where any two
network users may want to establish a secure
communication link at any time. An off-line
network key certification center (KCC) can be
established so that all users' public keys can
be certified. That is, each user in the network
can generate public keys and have them certified
by the key certification center. After a one
time certification of a public key, a user can
send his certified public key to any other user
who can then automatically verify its
authenticity.

The KCC generates its own public and secret key
and all users in the network have knowledge of
the certification center's public key. The key
pairs of the users can be generated by
themselves or by the KCC. Assume that the KCC
generates the user's key pairs. The KCC then
encrypts the user's public key and
identification number with its own secret key
and places this together with its public key and
A's secret key on a smart card. The data is
encrypted on the smart card by using A's
personal identification number (PIN). See Figure
5 for a description of the KCC. Also included in
the certificate is a period of validity of the
certificate, which consists of two dates, the
first and last on which the certificate is
valid.

From this point on A will send his certified
key whenever he wants to establish a secure
communication link with another user in the
network. Any user who receives A's certified
public key can obtain the public key and
identification number by decrypting it using the
KCC's public key and know that it is indeed A's
public key. He will then send his certificate to
A and A will then establish in the same way
whether it is B's public key or not. These
public keys can then be used to exchange a
secret key for the actual message encryption by
using a conventional encryption system.

FIGURE 5: Key certification center

The procedure must also be protected against
what is known as playback attacks. The only way
to do this is to include authentication tokens
in the certificates. The procedure is very
similar to the three way strong authentication
method [4] proposed by the CCITT and ISO for the
Directory authentication framework. The
difference is that with the CCITT proposal the
user A who initiates the connection first has
to obtain the public key of B, and B's
certificate, prior to the exchange of any
information. This may involve access to the
Directory of the KCC. In the proposed procedure
the strong three way authentication method has
been adapted to allow secure exchange of
information without having to access the
KCC directory or to know B's public key. The
procedure is indicated in Figure 6 and is as
follows.

5.2 Details of the secure communication
procedure.

Encryption of a message M with a key Ap is
indicated by

Ap[ M ]

The following notation is used for the 
description of the procedure: 

A - Unique identification name of A 

Ap - Public key of A

As - Secret key of A

Bp - Public key of B

Bs - Secret key of B

Np - Public key of certification center

Ns - Secret key of certification center

CERTa - Certificate of user A

TI - Validity period of certificate

Ra, Rb, Rc - Random numbers with sequential parts
by the counters

The procedure is as follows:

1. A generates Ra, a random number, which is
used to detect replay attacks and to prevent
forgery. Ra includes a sequential part that is
generated by Counter A and is checked for the
uniqueness of its value during every session.
Because Ra forms part of a token that is only
signed but not encrypted, it can only be used as
part of the message key for the conventional
cipher and not as a part of the secret key for
this cipher.

2. A then sends the following message to B:

CERTa, As[ Ra, B ]

where B is the identity number of B and the
latter component is the authentication token.

3. B then carries out the following actions: 

a. obtains Ap from CERTa by decrypting using Np
and he also checks that A's certificate has not
expired.

b. verifies the signature, and thus the 
integrity of the signed information. 

4. B generates Rb, a random number used for
similar purposes as Ra. This number without the
sequential part can be used to form part of the
secret key because it forms part of a token that
is signed and encrypted.

5. B sends the following message to A: 

CERTb, Ap[ Bs[ Rb, A, Ra ] ]

6. A then carries out the following actions:

a. obtains Bp from CERTb by decrypting using Np
and he also checks that B's certificate has not
expired.

b. deciphers the authentication token, then
verifies the signature, and thus the integrity of
the signed information.

7. A also checks that the received Ra is 
identical to the Ra which was sent. 

8. A then generates Rc and tests it. Rc is
another random number which is generated to be
combined with Rb to form the
secret keys for the conventional encryption
system. Once the session is over, all three
generated random numbers will be destroyed and
only their sequential parts will be kept for
reference.

9. A then sends the following authentication 
token to B: 

Bp[ As[ Rb, Rc ] ]

10. B carries out the following actions: 

a. deciphers the authentication token, then
checks the signature and thus the integrity of
the signed information.

b. Checks that the received Rb is identical to 
the Rb which was sent. 
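
The three-message exchange of steps 1 to 10, as an added example (not code from the paper). It assumes toy textbook RSA with a hash-then-sign signature standing in for encryption under a secret key, constructed demo keys, and hypothetical names (User, check_cert, make_network); the outer Ap[ ... ] and Bp[ ... ] encryption layer is left out, so only the certificate, signature and replay checks are shown.

```python
import hashlib
import secrets

def keypair(p, q, e=65537):             # textbook RSA, toy primes only
    return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)

def digest(fields, n):
    data = "|".join(map(str, fields)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(secret, fields):               # models Xs[ fields ], X's secret key
    return pow(digest(fields, secret[1]), *secret)

def verify(public, fields, sig):
    return pow(sig, *public) == digest(fields, public[1])

def check_cert(cert, kcc_public, today):
    *body, sig = cert                   # body: name, public key, first, last day
    if not verify(kcc_public, body, sig):
        raise ValueError("certificate not signed by KCC")
    if not body[2] <= today <= body[3]:
        raise ValueError("certificate outside validity period")
    return body[0], body[1]

class User:
    def __init__(self, name, secret, cert, kcc_public):
        self.name, self.secret, self.cert = name, secret, cert
        self.kcc_public, self.counter, self.seen = kcc_public, 0, set()

    def nonce(self):                    # (sequential part, random part)
        self.counter += 1
        return (self.counter, secrets.randbits(64))

    def start(self, peer):              # step 2: CERTa, As[ Ra, B ]
        self.ra = self.nonce()
        return self.cert, self.ra, sign(self.secret, (self.ra, peer))

    def respond(self, m1, today):       # steps 3-5, run by B
        cert, ra, sig = m1
        peer, self.peer_pub = check_cert(cert, self.kcc_public, today)
        if not verify(self.peer_pub, (ra, self.name), sig):
            raise ValueError("bad signature on token")
        if (peer, ra[0]) in self.seen:  # sequential part already used
            raise ValueError("replayed token")
        self.seen.add((peer, ra[0]))
        self.rb = self.nonce()
        return self.cert, self.rb, ra, sign(self.secret, (self.rb, peer, ra))

    def confirm(self, m2, today):       # steps 6-9, run by A
        cert, rb, ra, sig = m2
        _, bp = check_cert(cert, self.kcc_public, today)
        if not verify(bp, (rb, self.name, ra), sig) or ra != self.ra:
            raise ValueError("token rejected")
        rc = self.nonce()
        return rb, rc, sign(self.secret, (rb, rc))

    def finish(self, m3):               # step 10, run by B
        rb, rc, sig = m3
        return verify(self.peer_pub, (rb, rc), sig) and rb == self.rb

def make_network():                     # constructed demo keys, not real ones
    m = lambda k: 2**k - 1              # Mersenne primes, far too weak for use
    kcc_pub, kcc_sec = keypair(m(521), m(607))
    def user(name, p, q):
        pub, sec = keypair(p, q)
        body = (name, pub, "1988-01-01", "1988-12-31")
        return User(name, sec, body + (sign(kcc_sec, body),), kcc_pub)
    return user("A", m(89), m(127)), user("B", m(61), m(107))
```

Calling make_network() and then start, respond, confirm and finish in that order walks through one session; presenting the same first message to B a second time raises the replay error.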

The advantages of this system are that the KCC is
off-line and that the users have to approach it 
only once and that is when their public keys 
are certified when they join the network. There 
is thus no need to distribute lengthy 
directories. There is also no potential 
bottleneck to get a new session key from an 
online key distribution center each time you 
want to communicate. Another advantage is that 
the users themselves can generate their own 
public and secret keys or it can be done for 
them by the KCC. By using a hybrid system the 
users also have the added advantage of digital 
signatures and authentication. 

This hybrid system can also be adapted for 
application in a variety of communication 
systems, such as point-to-point
communication, packet switching networks,
electronic mail systems and EFT-POS systems.

Fig. 6: Secure communication procedure based on
the strong three way authentication method.



5.3 Physical security of keys 



It is clear from the discussion of the KCC
concept that the security of the users' secret
keys is the most important aspect in the
network. If these keys are compromised all
communication with that specific user is
compromised. Special care will then have to be
taken to ensure their physical security. As they
will be transported by courier, the method of
protection must also be practical and highly
secure.

It is recommended that the best way to protect 
these keys is to store them encrypted on smart 
cards. The keys themselves are saved encrypted 
in the card's memory and can only be retrieved 
from the card if put into the correct encryption 
device and if the correct PIN number is given to 
the on-card microprocessor. 

6.0 IMPLEMENTATION IN ISDN

One of the main properties of ISDN is that a
signalling/data channel, independent of the
information channel, is always available to the
terminal equipment and can be used for key
distribution and security service management.
The ISDN structure and its protocols also allow
for the integration of the key distribution
function into the procedure for the
establishment of a circuit-switched connection
([5] and [6]). We will now describe the
integration into ISDN of the procedure
described in 5.0, to perform key distribution
on the D-channel in association with a circuit
switched connection. It is assumed that CCITT
recommendations 'Q .'9TC and .'^'20 are adopted for
layers 1 and 2 and the layer 3 of the procedure
is based on recommendation Q.930. O'Higgins [7]
described a similar procedure for ISDN but which
also makes use of exponential key exchange. This
procedure also needs access to an online key
distribution center.
Exchange A then goes on to use the common
channel signalling network to establish a
user-information channel with exchange B as
indicated. This exchange then goes on with the
procedure by transferring a SETUP message across
the interface of the called subscriber B. The
message, in addition to the other information,
includes A's certificate and authentication
token in the USER DATA field. User B then
establishes the authenticity of A's certificate
and token. If he is satisfied, he responds with
an ALERT message which includes his certificate
and authentication token in the USER DATA field
as indicated. The originating exchange then
transfers this across the calling user
interface.
A now authenticates the certificate and token of
B. If he is not satisfied, the terminal sends to
the network a DISCONNECT message, indicating in
the message the cause of the call clearing
request. The B terminal acts analogously. If for
this terminal the checks are satisfactory, it
sends to the network a CONNECT message and the
exchange A, upon receiving it, sends a CONNECT
message to the calling user interface, to
indicate that the connection has been
established.
d message of the three way authentication
onsists only of A's token, is then
red to B using the user-to-user
ng via temporary signalling connection
If B is satisfied after he has
cated the token, the transmission which
between A and B is encrypted using a key
a combination of the random numbers Rb
B can however initiate a connection
if he is not satisfied with the
cation of A.



Even while the messages which are sent over the
B-channel are encrypted, the secret key of the
conventional cipher can be continually changed
using the user-to-user signalling via temporary
signal connection facility over the D-channel
without interrupting the communications on the
B-channel. ISDN D-channel signalling also
makes calling party identification available
from the network and this is one more level of
security that can be applied.

7.0 CONCLUSION 

Privacy and authentication are the two most 
important security requirements in communication 
networks and encryption is the most appropriate 
and practical mechanism to provide communication 
security.

A secure communication procedure based on a
hybrid encryption system and the strong three
way authentication method of the CCITT and ISO
is proposed as an effective solution of the key
distribution problem. The most important
advantage of this procedure is that the user
need only approach a trusted third party
once, and that is when he joins the network.



In a hybrid system a public key algorithm is
used to distribute secret keys over the network,
which are then used as the keys for a
conventional system to encrypt the data
messages. The KCC must be based on a hybrid
system which makes use of the RSA algorithm. It
is also recommended that the encryption keys be
kept on smart cards to ensure that they do not
get compromised.

It is shown that ISDN offers many advantages
compared to the current switched telephone
network. The ISDN structure and its protocols
allow for the integration of the key
distribution and authentication function in the
procedure for the establishment of a circuit
switched connection. Signalling on the D-channel
can be used to monitor and update keying
information on the terminal, even while
B-channels are active and without deactivating
the channel. The packet data service on the
D-channel also provides an efficient means of
communication to a centralized key management
facility if only conventional ciphers are used.
Another advantage due to ISDN signalling is that
calling party identification is available, which
is another security element that can be used to
authenticate users and connections.

There is increasing concern for information
security in civil communication systems. These
security services are beyond what can be
delivered using only the current network, but
they are within the capabilities of ISDN.